In mid-July 2020, the European Court of Justice ruled that the Privacy Shield, which allowed the transfer of data on EU residents to the United States, is invalid. Privacy Shield certification was granted to companies if they met certain requirements regarding data security and how the information was used.
The agreement between Washington and Brussels ensured that U.S. companies adhered to E.U. standards on data protection and privacy. In exchange, businesses were able to shift personal data on E.U. residents. But the high court ruled that American laws do not provide adequate protection for personal data.
While the ruling does not kill data transfer entirely, it still has major implications for users of ERP software systems and other businesses that hold information on European customers, suppliers and employees, and want to move it across the Atlantic.
As a result, U.S. businesses that have been shifting personal data to America from the E.U. now need to find a new process, or they will face potential fines under Europe’s General Data Protection Regulation (GDPR).
ERP Users Need to Adapt
More than 5,300 American companies were Privacy Shield participants, including hundreds that have been shifting ERP data to the United States from Europe.
Although the ruling continues to allow one annual data transfer, there is a complication that must be taken into account: ensuring that transferring the data does not add any additional security risks. The European court makes it clear that a more in-depth assessment of an organization’s data collection and transfer process is required.
What this means for ERP users – along with any other business shifting personal data into the U.S. – is that they need to evaluate the sensitivity and volume of data transfers as well as whether there is a genuine business need to move the information into the United States.
To justify data transfers, ERP users must assess what type of additional data security safeguards are required. While data can still be transferred “if necessary,” some clients are telling us that they are considering barring any transfers altogether.
Greater Compliance Burdens
The Privacy Shield was a single set of compliance requirements covering all personal data. Because the European court decision continues to allow Standard Compliance Contracts (SCCs), the lives of CIOs and Chief Information Security Officers have become even more complicated: SCCs are specific to each data movement, and a large organization might have hundreds of them in place.
Compliance officers need to work closely with counsel to understand not just what the ruling means but to understand data flows across the entire company – often one of the key purposes of ERP.
Businesses are now required to evaluate each data transfer recipient to determine whether it provides an adequate level of protection. This means assessing what type of personal data is being transferred, how it will be processed, whether it may be subject to access by government agencies for surveillance purposes, and what safeguards are available.
Few businesses are able to make those assessments.
Another US-EU Clash on Privacy
This is the second time the European court has struck down a data transfer agreement between the EU and Washington, the first being when it invalidated the so-called “Safe Harbor” rules. The United States needs to adopt a tough privacy and data security law. National regulations are sorely needed. Privacy reform should be crucial for the business interests of Silicon Valley and all ERP users.
We have devoted our legal careers to negotiating and drafting ERP contracts and data privacy agreements, including provisions that spell out specific responsibilities in the event of a breach or leak. If you or your general counsel have questions about how this European ruling will affect either your ERP software system or your data privacy policies in general, feel free to call or send an email. We will be happy to provide you with some guidance.